Managing file systems and drives - Windows Server 2012 R2 Pocket Consultant: Storage, Security, & Networking (2014)

Chapter 1. Managing file systems and drives

§ Managing the File And Storage Services role

§ Adding hard drives

§ Working with basic, dynamic, and virtual disks

§ Using basic disks and partitions

§ Compressing drives and data

§ Encrypting drives and data

A hard drive is the most common storage device used on network workstations and servers. Users depend on hard drives to store their word-processing documents, spreadsheets, and other types of data. Drives are organized into file systems that users can access either locally or remotely.

Local file systems are installed on a user’s computer and can be accessed without remote network connections. The C drive, which is available on most workstations and servers, is an example of a local file system. You access the C drive by using the file path C:\.

On the other hand, you access remote file systems through a network connection to a remote resource. You can connect to a remote file system by using the Map Network Drive feature of File Explorer.

Wherever disk resources are located, your job as a system administrator is to manage them. The tools and techniques you use to manage file systems and drives are discussed in this chapter. Chapter 2 looks at partition management, volume sets, and fault tolerance.

Managing the File And Storage Services role

A file server provides a central location for storing and sharing files across the network. When many users require access to the same files and application data, you should configure file servers in the domain. Although all servers are configured with basic file services, you must configure the File And Storage Services role and add any additional role services that might be needed.

Table 1-1 provides an overview of the role services associated with the File And Storage Services role. When you add any needed role services to a file server, you might also want to install the following optional features, available through the Add Roles And Features Wizard:

§ Windows Server Backup. The standard backup utility included with Windows Server 2012 R2.

§ Enhanced Storage. Supports additional functions made available by devices that support hardware encryption and enhanced storage. Enhanced storage devices support Institute of Electrical and Electronics Engineers (IEEE) standard 1667 to provide enhanced security, which can include authentication at the hardware level of the storage device.

§ Multipath I/O. Provides support for using multiple data paths between a file server and a storage device. Servers use multiple I/O paths for redundancy in case of the failure of a path and to improve transfer performance.

Binaries needed to install roles and features are referred to as payloads. With Windows Server 2012 R2, payloads are stored in subfolders of the %SystemDrive%\Windows\WinSXS folder. If the binaries for the tools have been removed, you might need to install the tools by specifying a source.

Table 1-1. Role services for file servers

§ BranchCache For Network Files. Enables computers in a branch office to cache commonly used files from shared folders. It takes advantage of data deduplication techniques to optimize data transfers over wide area networks (WANs) to branch offices.

§ Data Deduplication. Uses subfile variable-size chunking and compression to achieve greater storage efficiency. This works by segmenting files into 32-KB to 128-KB chunks, identifying duplicate chunks, and replacing the duplicates with references to a single copy. Optimized files are stored as reparse points. After deduplication, files on the volume are no longer stored as data streams and instead are replaced with stubs that point to data blocks within a common chunk store.

§ DFS Namespaces. Enables you to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears as a single shared folder with a series of subfolders; however, the underlying structure of a namespace can come from shared folders on multiple servers in different sites.

§ DFS Replication. Enables you to synchronize folders on multiple servers across local or WAN connections by using a multimaster replication engine. The replication engine uses the Remote Differential Compression (RDC) protocol to synchronize only the portions of files that have changed since the last replication. You can use DFS Replication with DFS Namespaces or by itself. When a domain is running at the Windows 2008 domain functional level or higher, domain controllers use DFS Replication to provide more robust and granular replication of the SYSVOL directory.

§ File Server. Enables you to manage file shares that users can access over the network.

§ File Server Resource Manager (FSRM). Installs a suite of tools that administrators can use to better manage data stored on servers. By using FSRM, administrators can generate storage reports, configure quotas, and define file-screening policies.

§ File Server VSS Agent Service. Enables VSS-aware backup utilities to create consistent shadow copies (snapshots) of applications that store data files on the file server.

§ iSCSI Target Server. Turns any Windows Server into a network-accessible block storage device, which can be used for testing applications prior to deploying storage area network (SAN) storage. It supports shared storage for both Windows and non-Windows iSCSI initiators, as well as network (diskless) boot for diskless servers.

§ iSCSI Target Storage Provider. Supports managing iSCSI virtual disks and shadow copies (snapshots) from an iSCSI initiator.

§ Server for NFS. Provides a file-sharing solution for enterprises with a mixed Windows and UNIX environment. When you install Server for Network File System (NFS), users can transfer files between Windows Server and UNIX operating systems by using the NFS protocol.

§ Storage Services. Enables you to manage storage, including storage pools and storage spaces. Storage pools group disks so that you can create virtual disks from the available capacity. Each virtual disk you create is a storage space.

§ Work Folders. Enables users to synchronize their corporate data to their devices and vice versa. Those devices can be joined to the corporate domain or a workplace.

IMPORTANT

If payloads have been removed and you don’t specify a source, payloads are restored via Windows Update by default. However, Group Policy can be used to control whether Windows Update is used to restore payloads and to provide alternate source paths for restoring payloads. The policy with which you want to work is Specify Settings For Optional Component Installation And Component Repair, which is under Computer Configuration\Administrative Templates\System. This policy also is used for obtaining payloads needed to repair components.

You can configure the File And Storage Services role on a server by following these steps:

1. In Server Manager, tap or click Manage, and then tap or click Add Roles And Features, or select Add Roles And Features in the Quick Start pane. This starts the Add Roles And Features Wizard. If the wizard displays the Before You Begin page, read the Welcome text, and then tap or click Next.

2. On the Installation Type page, Role-Based Or Feature-Based Installation is selected by default. Tap or click Next.

3. On the Server Selection page, you can choose to install roles and features on running servers or virtual hard disks. Either select a server from the server pool or select a server from the server pool on which to mount a virtual hard disk (VHD). If you are adding roles and features to a VHD, tap or click Browse and then use the Browse For Virtual Hard Disks dialog box to locate the VHD. When you are ready to continue, tap or click Next.

NOTE

Only servers that are running Windows Server 2012 R2 and that have been added for management in Server Manager are listed.

4. On the Server Roles page, select File And Storage Services. Expand the related node, and select the additional role services to install. If additional features are required to install a role, you’ll see an additional dialog box. Tap or click Add Features to close the dialog box and add the required features to the server installation. When you are ready to continue, tap or click Next.

5. On the Features page, select the features you want to install. If additional functionality is required to install a feature you selected, you’ll see an additional dialog box. Tap or click Add Features to close the dialog box and add the required features to the server installation. When you are ready to continue, tap or click Next. Depending on the added feature, there might be additional steps before you get to the Confirm page.

6. On the Confirm page, tap or click the Export Configuration Settings link to generate an installation report that can be displayed in Internet Explorer.

REAL WORLD

If the server on which you want to install roles or features doesn’t have all the required binary source files, the server gets the files via Windows Update by default or from a location specified in Group Policy.

You can also specify an alternate path for the required source files. To do this, click the Specify An Alternate Source Path link, enter that alternate path in the box provided, and then tap or click OK. For network shares, enter the UNC path to the share, such as \\CorpServer25\WinServer2012R2\. For mounted Windows images, enter the WIM path prefixed with WIM: and including the index of the image to use, such as WIM:\\CorpServer25\WinServer2012R2\install.wim:4.

7. After you review the installation options and save them as necessary, tap or click Install to begin the installation process. The Installation Progress page tracks the progress of the installation. If you close the wizard, tap or click the Notifications icon in Server Manager, and then tap or click the link provided to reopen the wizard.

8. When Setup finishes installing the server with the roles and features you selected, the Installation Progress page will be updated to reflect this. Review the installation details to ensure that all phases of the installation were completed successfully.

Note any additional actions that might be required to complete the installation, such as restarting the server or performing additional installation tasks.

If any portion of the installation failed, note the reason for the failure. Review the Server Manager entries for installation problems, and take corrective actions as appropriate.

If the File Services role is already installed on a server and you want to install additional services for a file server, you can add role services to the server by using a similar process.

Adding hard drives

Before you make a hard drive available to users, you need to configure it and consider how it will be used. With Windows Server 2012 R2, you can configure hard drives in a variety of ways. The technique you choose depends primarily on the type of data with which you’re working and the needs of your network environment. For general user data stored on workstations, you might want to configure individual drives as stand-alone storage devices. In that case, user data is stored on a workstation’s hard drive, where it can be accessed and stored locally.

Although storing data on a single drive is convenient, it isn’t the most reliable way to store data. To improve reliability and performance, you might want a set of drives to work together. Windows Server 2012 R2 supports drive sets and arrays by using the redundant array of independent disks (RAID) technology, which is built into the operating system.

Physical drives

Whether you use individual drives or drive sets, you need physical drives. Physical drives are the actual hardware devices that are used to store data. The amount of data a drive can store depends on its size and whether it uses compression. Windows Server 2012 R2 supports both Standard Format and Advanced Format hard drives. Standard Format drives have 512 bytes per physical sector and are also referred to as 512b drives. Advanced Format drives have 4,096 bytes per physical sector and are also referred to as 512e drives. 512e represents a significant shift for the hard drive industry, and it allows for large, multiterabyte drives.

Disks perform physical media updates in the granularity of their physical sector size. 512b disks work with data 512 bytes at a time; 512e disks work with data 4,096 bytes at a time. At an elevated administrator prompt, you can use the command-line utility Fsutil to determine bytes per physical sector by entering the following:

Fsutil fsinfo sectorinfo DriveDesignator

Here, DriveDesignator is the designator of the drive to check, such as:

Fsutil fsinfo sectorinfo c:

Having a larger physical sector size is what allows drive capacities to jump well beyond previous physical capacity limits. When there is only a 512-byte write, hard drives must perform additional work to complete the sector write. For best performance, applications must be updated to read and write data properly in this new level of granularity (4096 bytes).

Windows Server 2012 R2 supports many drive interface architectures, including

§ Small Computer System Interface (SCSI)

§ Parallel ATA (PATA), also known as IDE

§ Serial ATA (SATA)

The terms SCSI, IDE, and SATA designate the interface type used by the hard drives. The interface is used to communicate with a drive controller. SCSI drives use SCSI controllers, IDE drives use IDE controllers, and so on.

SCSI is one of the most commonly used interfaces, and there are multiple bus designs for SCSI and multiple interface types. Parallel SCSI (also called SPI) has largely been replaced by Serial Attached SCSI (SAS). Internet SCSI (iSCSI) uses the SCSI architectural model, but it uses TCP/IP as the transport rather than the traditional physical implementation.

SATA was designed to replace IDE. SATA drives are increasingly popular as a low-cost alternative to SCSI. SATA II and SATA III, the most common SATA interfaces, are designed to operate at 3 gigabits per second and 6 gigabits per second, respectively. In addition, eSATA (also known as external SATA) is meant for externally connected drives.

NOTE

Windows Server 2012 R2 features enhancements to provide improved support for SATA drives. These enhancements reduce metadata inconsistencies and enable drives to cache data more efficiently. Improved disk caching helps to protect cached data in the event of an unexpected power loss.

When setting up a new server, you should give considerable thought to the drive configuration. Start by choosing drives or storage systems that provide the appropriate level of performance. There really is a substantial difference in speed and performance among various drive specifications.

You should consider not only the capacity of the drive but also the following:

§ Rotational speed. A measurement of how fast the disk spins

§ Average seek time. A measurement of how long it takes to seek between disk tracks during sequential I/O operations

Generally speaking, when comparing drives that conform to the same specification, such as Ultra640 SCSI or SATA III, the higher the rotational speed (measured in thousands of rotations per minute) and the lower the average seek time (measured in milliseconds, or msecs), the better. As an example, a drive with a rotational speed of 15,000 RPM gives you 45–50 percent more I/O per second than the average 10,000 RPM drive, all other things being equal. A drive with a seek time of 3.5 msecs gives you a 25–30 percent response time improvement over a drive with a seek time of 4.7 msecs.

Other factors to consider include the following:

§ Maximum sustained data transfer rate. A measurement of how much data the drive can continuously transfer

§ Mean time to failure (MTTF). A measurement of how many hours of operation you can expect to get from the drive before it fails

§ Nonoperational temperatures. Measurements of the temperatures at which the drive fails

Most drives of comparable quality have similar transfer rates and MTTF. For example, if you compare enterprise SAS drives with 15,000 RPM rotational speed from different vendors, you will probably find similar transfer rates and MTTF. Transfer rates can be expressed in megabytes per second (MBps) or gigabits per second (Gbps). A rate of 1.5 Gbps is equivalent to a data rate of 187.5 MBps, and 3.0 Gbps is equivalent to 375 MBps. Sometimes you’ll get a maximum external transfer rate (per the specification to which the drive complies) and an average sustained transfer rate. The average sustained transfer rate is the most important factor.

NOTE

Don’t confuse MBps and Mbps. MBps is megabytes per second. Mbps is megabits per second. Because there are 8 bits in a byte, a 100 MBps transfer rate is equivalent to an 800 Mbps transfer rate.

Temperature is another important factor to consider when you’re selecting a drive, but it’s a factor few administrators take into account. Typically, the faster a drive rotates, the hotter it runs. This is not always the case, but it is certainly something you should consider when making your choice. For example, 15K drives tend to run hot, and you must be sure to carefully regulate temperature. Typical 15K drives can become nonoperational at temperatures of 70 degrees Centigrade or higher (as would most other drives).

Windows Server 2012 R2 adds support for disk drives with hardware encryption (referred to as encrypted hard drives). Encrypted hard drives have built-in processors that shift the encryption-decryption activities from the operating system to hardware, freeing up operating system resources. Windows Server 2012 R2 will use hardware encryption with BitLocker when available. Other security features available in Windows Server 2012 R2 include Secure Boot and Network Unlock. Secure Boot provides boot integrity by validating Boot Configuration Data (BCD) settings according to the Trusted Platform Module (TPM) validation profile settings. Network Unlock can be used to automatically unlock the operating system drive on domain-joined computers. For more information on TPM, BitLocker, Secure Boot, Network Unlock, and encrypted hard drives, see “Using TPM and BitLocker Drive Encryption” in Chapter 2 of Windows 8.1 Administration Pocket Consultant: Storage, Networking, & Security (Microsoft Press, 2013).

Preparing a physical drive for use

After you install a drive, you need to configure it for use. You configure the drive by partitioning it and creating file systems in the partitions as needed. A partition is a section of a physical drive that functions as if it were a separate unit. After you create a partition, you can create a file system in the partition.

The MBR and GPT partition styles

Two partition styles are used for disks: master boot record (MBR) and GUID partition table (GPT). The MBR contains a partition table that describes where the partitions are located on the disk. With this partition style, the first sector on a hard drive contains the master boot record and a binary code file called the master boot code that’s used to boot the system. This sector is unpartitioned and hidden from view to protect the system.

With the MBR partitioning style, disks traditionally support volumes of up to 4 terabytes (TB) and use one of two types of partitions: primary or extended. Each MBR drive can have up to four primary partitions or three primary partitions and one extended partition. Primary partitions are drive sections you can access directly for file storage. You make a primary partition accessible to users by creating a file system on it. Although you can access primary partitions directly, you can’t access extended partitions directly. Instead, you can configure extended partitions with one or more logical drives that are used to store files. Being able to divide extended partitions into logical drives allows you to divide a physical drive into more than four sections.

GPT was originally developed for high-performance, Itanium-based computers. The key difference between the GPT partition style and the MBR partition style has to do with how partition data is stored. With GPT, critical partition data is stored in the individual partitions, and redundant primary and backup partition tables are used for improved structural integrity. Additionally, GPT disks support volumes of up to 18 exabytes (1 exabyte equals 1,024 x 1,024 terabytes) and as many as 128 partitions. Although the GPT and MBR partitioning styles have underlying differences, most disk-related tasks are performed in the same way.

Legacy and protective MBRs

Most computers ship with Unified Extensible Firmware Interface (UEFI). Although UEFI is replacing BIOS and EFI as the top-level firmware interface, UEFI doesn’t replace all the functionality in either BIOS or EFI and typically is wrapped around BIOS or EFI. With respect to UEFI, GPT is the preferred partitioning scheme and a protective MBR may be located on any disk that uses the GPT disk layout. A legacy MBR and a protective MBR differ in many important ways.

A legacy MBR is located at the first logical block on a disk that is not using the GPT disk layout. The first 512 bytes on an MBR disk have the following layout:

§ The MBR begins with a 424-byte boot code, which is used to select an MBR partition record and load the first logical block of that partition. The boot code on the MBR is not executed by UEFI.

§ The boot code is followed by a 4-byte unique MBR disk signature, which can be used by the operating system to identify the disk and distinguish the disk from other disks on the system. The unique signature is written by the operating system and not used by UEFI.

§ A 2-byte separator follows the disk signature. At byte offset 446, there is an array of four MBR partition records, with each record being 16 bytes in length. Byte offset 510 contains 0x55 and byte offset 511 contains 0xAA. The remainder of the logical block, from byte offset 512 onward, is reserved.

The four partition records each define the first and last logical blocks that a particular partition uses on a disk:

§ Each 16-byte MBR partition record begins with a 1-byte boot indicator. For example, a value of 0x80 identifies a bootable legacy partition. Any other value indicates that this is not a bootable legacy partition. This value is not used by UEFI.

§ The boot indicator is followed by a 3-byte address identifying the start of the partition. At byte offset 4, there’s a 1-byte value that indicates the operating system type, which is followed by a 3-byte value that identifies the end of the partition. These values are not used by UEFI.

§ At byte offset 8, there is a 4-byte value indicating the first logical block of the partition, and this is followed by a 4-byte value indicating size of the partition in units of logical blocks. Both of these values are used by UEFI.

NOTE

If an MBR partition has an operating system type value of 0xEF, firmware must add the UEFI system partition GUID to the handle for the MBR partition. This allows boot applications, operating system loaders, drivers, and other lower-level tools to locate the UEFI system partition, which must physically reside on the disk.

A protective MBR may be located at the first logical block on a disk that is using the GPT disk layout. The protective MBR precedes the GUID Partition Table Header and is used to maintain compatibility with tools that do not understand GPT partition structures. The purpose of the protective MBR is to protect the GPT partitions from boot applications, operating system loaders, drivers, and other lower-level tools that don’t understand the GPT partitioning scheme. The protective MBR does this by defining a fake partition covering the entire disk. When a disk has a protective MBR, the first 512 bytes on the disk have the following layout:

§ The protective MBR begins with a 424-byte boot code, which is not executed by UEFI.

§ The boot code is followed by a 4-byte disk signature, which is set to zero and not used by UEFI.

§ A 2-byte separator follows the disk signature. This separator is set to zero and not used by UEFI.

§ At byte offset 446, there is an array of four MBR partition records, with each record being 16 bytes in length. Only the first partition record, the protective partition record, is used. The other partition records are set to zero.

§ Byte offset 510 contains 0x55 and byte offset 511 contains 0xAA. The remainder of the logical block, from byte offset 512 onward, is reserved.

The protective partition record reserves the entire space on the disk after the first 512 bytes for the GPT disk layout. The protective partition record begins with a 1-byte boot indicator that is set to 0x00, which indicates a non-bootable partition. The boot indicator is followed by a 3-byte address identifying the start of the partition at 0x000200, which is the first usable block on the disk.

At byte offset 4, there’s a 1-byte value set to 0xEE to indicate the operating system type as GPT Protective. This is followed by a 3-byte value that identifies the last usable block on the disk, which is the end of the partition (or 0xFFFFFF if it is not possible to represent this value).

At byte offset 8, there is a 4-byte value set to 0x00000001, which identifies the logical block address of the GPT partition header. This is followed by a 4-byte value indicating size of the disk minus one block (or 0xFFFFFFFF if the size of the disk is too large to be represented).
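The legacy and protective layouts just described, as an added example that is not from the book: a small Python parser that reads a 512-byte first sector, extracts the disk signature and the four 16-byte partition records, checks the 0x55AA signature, and tells a legacy MBR from a protective MBR (flagging any 0xEF record as the UEFI system partition). The sample sectors are constructed in the script from the field values given in the text; the NTFS-type value 0x07 and the LBA numbers in the legacy sample are my own choices.

```python
# Added example (not from the book): parse the first 512 bytes of a disk as a
# legacy or protective MBR, following the field layout described above.
# The sample sectors below are constructed in this script, not read from a disk.
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
SIGNATURE_OFFSET = 440        # 4-byte unique MBR disk signature
PARTITION_TABLE_OFFSET = 446  # start of the four 16-byte partition records
RECORD_FORMAT = "<B3sB3sII"   # boot ind., start CHS, OS type, end CHS, start LBA, size in LBA
RECORD_SIZE = struct.calcsize(RECORD_FORMAT)  # 16
GPT_PROTECTIVE_TYPE = 0xEE    # OS type "GPT Protective"
UEFI_SYSTEM_PARTITION_TYPE = 0xEF

@dataclass
class PartitionRecord:
    boot_indicator: int  # 0x80 = bootable legacy partition, anything else = not bootable
    start_chs: bytes     # 3-byte legacy start address (ignored by UEFI)
    os_type: int
    end_chs: bytes       # 3-byte legacy end address (ignored by UEFI)
    start_lba: int       # first logical block of the partition (used by UEFI)
    size_in_lba: int     # size in logical blocks (used by UEFI)

    def is_empty(self) -> bool:
        return self.os_type == 0 and self.start_lba == 0 and self.size_in_lba == 0

@dataclass
class Mbr:
    disk_signature: int
    records: List[PartitionRecord]
    valid_signature: bool  # 0x55 at byte offset 510 and 0xAA at byte offset 511

def parse_mbr(sector: bytes) -> Mbr:
    """Decode the first logical block of a disk into its MBR fields."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("a first sector must be at least 512 bytes")
    disk_signature = struct.unpack_from("<I", sector, SIGNATURE_OFFSET)[0]
    records = []
    for i in range(4):
        fields = struct.unpack_from(RECORD_FORMAT, sector, PARTITION_TABLE_OFFSET + i * RECORD_SIZE)
        records.append(PartitionRecord(*fields))
    valid = sector[510] == 0x55 and sector[511] == 0xAA
    return Mbr(disk_signature, records, valid)

def is_protective_mbr(mbr: Mbr) -> bool:
    """True for the protective layout: a single non-bootable 0xEE record that
    starts at LBA 1 (the GPT header), with the other three records zeroed."""
    first = mbr.records[0]
    return (mbr.valid_signature
            and first.boot_indicator == 0x00
            and first.os_type == GPT_PROTECTIVE_TYPE
            and first.start_lba == 1
            and all(r.is_empty() for r in mbr.records[1:]))

def classify(sector: bytes) -> str:
    """Return 'invalid', 'protective-gpt' or 'legacy-mbr' for a first sector."""
    mbr = parse_mbr(sector)
    if not mbr.valid_signature:
        return "invalid"
    return "protective-gpt" if is_protective_mbr(mbr) else "legacy-mbr"

def uefi_system_partitions(mbr: Mbr) -> List[int]:
    """Indices of records with OS type 0xEF, which firmware treats as the UEFI system partition."""
    return [i for i, r in enumerate(mbr.records) if r.os_type == UEFI_SYSTEM_PARTITION_TYPE]

def build_sector(records: List[tuple], disk_signature: int = 0, valid: bool = True) -> bytes:
    """Construct a 512-byte sector from up to four record tuples (used for the samples)."""
    buf = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", buf, SIGNATURE_OFFSET, disk_signature)
    for i, rec in enumerate(records[:4]):
        struct.pack_into(RECORD_FORMAT, buf, PARTITION_TABLE_OFFSET + i * RECORD_SIZE, *rec)
    if valid:
        buf[510], buf[511] = 0x55, 0xAA
    return bytes(buf)

# Constructed sample 1: protective MBR for a 0x1000-block GPT disk, using the values
# given in the text (boot 0x00, start CHS 0x000200, type 0xEE, end CHS 0xFFFFFF,
# start LBA 1, size = disk size minus one block). The disk signature is zero.
PROTECTIVE = build_sector([(0x00, b"\x00\x02\x00", GPT_PROTECTIVE_TYPE, b"\xff\xff\xff", 1, 0x1000 - 1)])

# Constructed sample 2: legacy MBR with a bootable 0x07 (NTFS-type) partition and a
# 0xEF UEFI system partition; the CHS fields are placeholders since UEFI ignores them.
LEGACY = build_sector(
    [(0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800),
     (0x00, b"\x00\x21\x00", UEFI_SYSTEM_PARTITION_TYPE, b"\xfe\xff\xff", 206848, 204800)],
    disk_signature=0x1A2B3C4D)

# Constructed sample 3: the 0x55AA signature is missing, so the sector is rejected.
BROKEN = build_sector([], valid=False)

if __name__ == "__main__":
    for name, sector in (("protective", PROTECTIVE), ("legacy", LEGACY), ("broken", BROKEN)):
        mbr = parse_mbr(sector)
        print(f"{name}: {classify(sector)}, signature 0x{mbr.disk_signature:08x}, "
              f"UEFI system partitions at {uefi_system_partitions(mbr)}")
```

To inspect a real disk, read its first 512 bytes with a raw-device read and pass them to parse_mbr; the sizes reported for a protective MBR are capped at 0xFFFFFFFF for disks too large to represent, as the text notes.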

Disk types and file systems

In addition to a partition style, physical drives have a disk type, which is either basic or dynamic, as discussed later in the chapter in the section Working with basic, dynamic, and virtual disks. After you set the partition style and disk type for a physical drive, you can format free areas of the drive to establish logical partitions. Formatting creates a file system on a partition. Windows Server 2012 R2 supports the following file systems:

§ FAT

§ FAT32

§ exFAT

§ NTFS

§ ReFS

With FAT, the number of bits used with the file allocation table determines the variant with which you are working and the maximum volume size. FAT16, also known simply as FAT, defines its file allocation tables using 16 bits. Volumes that are 4 gigabytes (GB) or less in size are formatted with FAT16.

FAT32 defines its file allocation tables using 32 bits, and you can create FAT32 volumes that are 32 GB or less by using the Windows format tools. Although Windows can mount larger FAT32 volumes created with third-party tools, you should use NTFS for volumes larger than 32 GB.

Extended FAT is an enhanced version of FAT. Technically, exFAT could have been called FAT64 (and is called that by some). Because exFAT defines its file allocation tables by using 64 bits, it can overcome the 4-GB file-size limit and the 32-GB volume-size limit of FAT32 file systems. The exFAT format supports allocation unit sizes of up to 128 KB for volumes up to 256 TB.

NTFS volumes have a very different structure and feature set than FAT volumes. The first area of the volume is the boot sector, which stores information about the disk layout and holds a bootstrap program that executes at startup and boots the operating system. Instead of a file allocation table, NTFS uses a relational database called the master file table (MFT) to store information about files.

The MFT stores a file record of each file and folder on the volume, pertinent volume information, and details about the MFT itself. NTFS gives you many advanced options, including support for the Encrypting File System, compression, and the option to configure file screening and storage reporting. File screening and storage reporting are available when you add the File Server Resource Manager role service to a server as part of the File Services role.

Resilient File System (ReFS) can be thought of as the next generation of NTFS. As such, ReFS remains compatible with core NTFS features while cutting noncore features to focus relentlessly on reliability. This means disk quotas, Encrypting File System (EFS), compression, file screening, and storage reporting are not available but built-in reliability features have been added.

One of the biggest reliability features in ReFS is a data integrity scanner, also called a data scrubber. The scrubber provides proactive error identification, isolation, and correction. If the scrubber detects data corruption, a repair process is used to localize the area of corruption and perform automatic online correction. Through an automatic online salvage process, corrupted areas that cannot be repaired, such as those caused by bad blocks on the physical disk, are removed from the live volume so that they cannot adversely affect good data. Because of the automated scrubber and salvage processes, a Check Disk feature is not needed when you use ReFS (and there’s no Check Disk utility for ReFS).

NOTE

When you are working with File And Storage Services, you can group available physical disks into storage pools so that you can create virtual disks from available capacity. Each virtual disk you create is a storage space. Because only NTFS and ReFS support storage spaces, you’ll want to keep that in mind when you are formatting volumes on file servers. For more information about storage spaces, see Standards-based storage management in Chapter 2.

Using Disk Management

You use the Disk Management snap-in for the Microsoft Management Console (MMC) to configure drives. Disk Management makes it easy to work with the internal and external drives on a local or remote system. Disk Management is included as part of the Computer Management console. You can also add it to custom MMCs. In Computer Management, you can access Disk Management by expanding the Storage node, and then selecting Disk Management. Alternatively, you can enter diskmgmt.msc at the Everywhere prompt, and then press Enter.

Disk Management has three views: Disk List, Graphical View, and Volume List. With remote systems, you’re limited in the tasks you can perform with Disk Management. Remote management tasks you can perform include viewing drive details, changing drive letters and paths, and converting disk types. With removable media drives, you can also eject media remotely. To perform more advanced manipulation of remote drives, you can use the DiskPart command-line utility.

NOTE

You should be aware that if you create a partition but don’t format it, the partition is labeled as Free Space. In addition, if you haven’t assigned a portion of the disk to a partition, this section of the disk is labeled Unallocated.

In Figure 1-1, the Volume List view is in the upper-right corner, and the Graphical View is in the lower-right corner. This is the default configuration. You can change the view for the top or bottom pane as follows:

§ To change the top view, select View, choose Top, and then select the view you want to use.

§ To change the bottom view, select View, choose Bottom, and then select the view you want to use.

§ To hide the bottom view, select View, choose Bottom, and then select Hidden.

Figure 1-1. In Disk Management, the upper view provides a detailed summary of all the drives on the computer, and the lower view provides an overview of the same drives by default.

Windows Server 2012 R2 supports four types of disk configurations:

§ Basic. The standard fixed disk type. Basic disks are divided into partitions and are the original disk type for early Windows operating systems.

§ Dynamic. An enhanced fixed disk type that you can update without having to restart the operating system (in most cases). Dynamic disks are divided into volumes.

§ Removable. The standard disk type associated with removable storage devices.

§ Virtual. The virtual hard disk (VHD) disk type associated with virtualization. Computers can use VHDs just like they use regular fixed disks and can even be configured to boot from a VHD.

These disk configurations can be used with legacy storage approaches as well as standards-based storage. From the Disk Management window, you can get more detailed information on a drive section by pressing and holding or right-clicking it, and then selecting Properties. When you do this, you get a dialog box. Figure 1-2 shows the dialog boxes for two fixed disks. The one on the left uses NTFS, and the one on the right uses ReFS. Both disks have additional tabs based on the server configuration.

Figure 1-2. The General tab of the Properties dialog box provides detailed information about a drive.

If you’ve configured remote management through Server Manager and MMCs, as discussed in Chapter 2, you can use Disk Management to configure and work with disks on remote computers. Keep in mind, however, that your options are slightly different from when you are working with the disks on a local computer.

Tasks you can perform include the following:

§ Viewing limited disk properties, but not volume properties. When you are viewing disk properties, you’ll see only the General and Volumes tabs. You won’t be able to see volume properties.

§ Changing drive letters and mount paths.

§ Formatting, shrinking, and extending volumes. With mirrored, spanned, and striped volumes, you are able to add and configure related options.

§ Deleting volumes (except for system and boot volumes).

§ Creating, attaching, and detaching VHDs. When you create and attach VHDs, you need to enter the full file path and won’t be able to browse for the .vhd file.

Some tasks you perform with disks and volumes depend on the Plug and Play and Remote Registry services. Server hardening baselines frequently disable Remote Registry, so if remote disk management fails, confirm that both services are running on the remote computer and that the Remote Volume Management firewall rule group is enabled on both computers.

Using removable storage devices

Removable storage devices can be formatted with ReFS, NTFS, FAT, FAT32, or exFAT. You connect external storage devices to a computer rather than installing them inside the computer. This makes external storage devices easier and faster to install than most fixed disk drives. Most external storage devices have either a USB or a FireWire interface. When working with USB and FireWire, the transfer speed and overall performance of the device from a user’s perspective depends primarily on the version supported. Currently, several versions of USB and FireWire are used.

USB 2.0 is the current industry standard until the world transitions to USB 3.0. USB 2.0 devices can be rated as either full speed (up to 12 Mbps) or high speed (up to 480 Mbps). Although high-speed USB 2.0 supports data transfers at a maximum rate of 480 Mbps, sustained data-transfer rates are usually 10–30 Mbps. The actual sustainable transfer rate depends on many factors, including the type of device, the data you are transferring, and the speed of a computer. Each USB controller on a computer has a fixed amount of bandwidth, which all devices attached to the controller must share. The data transfer rates are significantly slower if a computer’s USB port is an earlier version than the device you are using. For example, if you connect a USB 3.0 device to a USB 2.0 port or vice versa, the device operates at the significantly reduced USB 2.0 transfer speed.

USB 1.0, 1.1, and 2.0 ports all look alike; however, most USB 3.0 ports I’ve seen have a special color to differentiate them. Still, the best way to determine which type of USB ports a computer has is to refer to the documentation that comes with the computer. Newer monitors have USB 2.0 ports to which you can connect devices as well. When you have USB devices connected to a monitor, the monitor acts like a USB hub device. As with any USB hub device, all devices attached to the hub share the same bandwidth, and the total available bandwidth is determined by the speed of the USB input to which the hub is connected on a computer.

FireWire (IEEE 1394) is a high-performance connection standard that uses a peer-to-peer architecture in which peripherals negotiate bus conflicts to determine which device can best control a data transfer. Like USB, several versions of FireWire are currently used. FireWire 400 (IEEE 1394a) has maximum sustained transfer rates of up to 400 Mbps. IEEE 1394b allows 400 Mbps (S400), 800 Mbps (S800), and 1600 Mbps (S1600). As with USB devices, if you connect an IEEE 1394b device to an IEEE 1394a port or vice versa, the device operates at the significantly reduced FireWire 400 transfer speed.

As with USB ports, the sustained transfer rate for IEEE 1394a and IEEE 1394b ports will be considerably less than the maximum rate possible. IEEE 1394a and IEEE 1394b ports and cables have different shapes, making it easier to tell the difference between them—if you know what you’re looking for. FireWire 400 cables without bus power have four-pin connectors. FireWire 400 cables with bus power have six-pin connectors. FireWire 800 and FireWire 1600 cables always carry bus power and have nine-pin connectors.

Another option is external SATA (eSATA), which is available on newer computers and is an ultra-high-performance connection for data transfer to and from external mass storage devices. eSATA operates at speeds up to 6 Gbps. If your computer doesn’t come with eSATA ports, you can add support for eSATA devices by installing an eSATA controller card.

When you are purchasing an external device for a computer, you’ll also want to consider what interfaces it supports. In some cases, you might be able to get a device with more than one interface, such as one that supports USB 3.0 and eSATA. A device with multiple interfaces gives you more options.

Working with removable disks is similar to working with fixed disks. You can do the following:

§ Press and hold or right-click a removable disk, and then select Open or Explore to examine the disk’s contents in File Explorer.

§ Press and hold or right-click a removable disk, and then select Format to format a removable disk as discussed in Formatting partitions later in this chapter. Removable disks generally are formatted with a single partition.

§ Press and hold or right-click a removable disk, and then select Properties to view or set properties. On the General tab of the Properties dialog box, you can set the volume label as discussed in Changing or deleting the volume label in Chapter 2.

When you work with removable disks, you can customize disk and folder views. To do this, press and hold or right-click the disk or folder, select Properties, and then tap or click the Customize tab. You can then specify the default folder type to control the default details displayed. For example, you can set the default folder type as Documents or Pictures And Videos. You can also set folder pictures and folder icons.

Removable disks support network file and folder sharing. You configure sharing on removable disks in the same way you configure standard file sharing. You can assign share permissions, configure caching options for offline file use, and limit the number of simultaneous users. You can share an entire removable disk as well as individual folders stored on the removable disk. You can also create multiple share instances.

Removable disks differ from NTFS volumes in that they don’t necessarily have an underlying security architecture. With exFAT, FAT, or FAT32, folders and files stored on a removable disk have no security permissions or features other than the basic read-only and hidden attribute flags you can set. Share permissions are therefore the only access control for a share on such a disk, and they apply only to access through the share: anyone who can physically attach the disk to another computer can read everything on it.
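The following is an added example, not code from the book, that turns the point above into a check: it lists every non-administrative SMB share on the server, looks up the volume that hosts it, and flags shares on FAT, FAT32, or exFAT volumes, where the share permissions are the only access control. It assumes the SmbShare and Storage modules that ship with Windows Server 2012 R2 and an elevated prompt; the function name is illustrative.

```powershell
# Added example (not from the book): report SMB shares whose volume stores no ACLs.
function Get-ShareAccessReport {
    [CmdletBinding()]
    param()

    # File systems that carry per-file security descriptors.
    $aclFileSystems = @('NTFS', 'ReFS')

    # Skip the administrative shares (C$, ADMIN$, IPC$ ...).
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Root of the share path, for example 'F:\'. Shares on UNC or mount-point
        # paths are reported with an unknown volume rather than guessed at.
        $root   = [System.IO.Path]::GetPathRoot($share.Path)
        $volume = $null
        if ($root -match '^[A-Za-z]:\\$') {
            $volume = Get-Volume -DriveLetter $root.Substring(0, 1) -ErrorAction SilentlyContinue
        }

        # Share-level permissions: the ACL on the share itself, not on the files.
        $shareAcl = Get-SmbShareAccess -Name $share.Name |
            ForEach-Object { '{0}:{1}:{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight }

        $fs        = if ($volume) { $volume.FileSystem } else { 'Unknown' }
        $driveType = if ($volume) { $volume.DriveType }  else { 'Unknown' }
        $aclsApply = $aclFileSystems -contains $fs
        $warning   = ''
        if ($volume -and -not $aclsApply) {
            # Nothing but the share permissions stands between a remote user and these files.
            $warning = 'Volume stores no ACLs; share permissions are the only access control'
        }

        [pscustomobject]@{
            Share            = $share.Name
            Path             = $share.Path
            DriveType        = $driveType
            FileSystem       = $fs
            NtfsAclsApply    = $aclsApply
            SharePermissions = ($shareAcl -join '; ')
            Warning          = $warning
        }
    }
}

# Usage: run elevated on the file server and review anything that carries a warning.
Get-ShareAccessReport | Where-Object { $_.Warning } | Format-List
```

Shares that show a warning and grant Everyone or Authenticated Users anything beyond Read deserve a second look, because there is no file-level permission underneath to narrow what the share grants.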

Installing and checking for a new drive

Hot swapping is a feature that allows you to remove internal devices without shutting off the computer. Typically, hot-swappable internal drives are installed and removed from the front of the computer. If your computer supports hot swapping of internal drives, you can install drives without having to shut down. After you have installed a new drive, open Disk Management, and then choose Rescan Disks from the Action menu. New disks that are found are added with the appropriate disk type. If a disk that you’ve added isn’t found, restart the computer.

If the computer doesn’t support hot swapping of internal drives, you must turn the computer off and then install the new drives. Then you can scan for new disks as described previously. If you are working with new disks that have not been initialized—meaning they don’t have disk signatures—Disk Management will start the Initialize Disk dialog box as soon as it starts up and detects the new disks.

You can initialize the disks by following these steps:

1. Each disk you install needs to be initialized. Select the disk or disks you installed.

2. Disks can use either the MBR or GPT partition style. Select the partition style you want to use for the disk or disks you are initializing.

3. Tap or click OK. If you elected to initialize disks, Windows writes a disk signature to the disks and initializes the disks with the basic disk type.

If you don’t want to use the Initialize Disk dialog box, you can close it and use Disk Management instead to view and work with the disk. In the Disk List view, the disk is marked with a red downward-pointing arrow icon, the disk’s type is listed as Unknown, and the disk’s status is listed as Not Initialized. Press and hold or right-click the disk’s icon and select Online. Press and hold or right-click the disk’s icon again, and select Initialize Disk. You can then initialize the disk as discussed previously.

NOTE

At an elevated, administrator Windows PowerShell prompt, you can use Get-Disk to list available disks and Initialize-Disk to initialize new disks.
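As an added example (not code from the book), here is the PowerShell equivalent of Rescan Disks followed by the Initialize Disk dialog box: rescan, list every disk with its status, then bring each uninitialized (RAW) disk online, initialize it with the chosen partition style, and create one NTFS data volume on it. It assumes the Storage module on Windows Server 2012 R2 and an elevated prompt; the function name and the volume label are illustrative.

```powershell
# Added example (not from the book): initialize and format every uninitialized disk.
function Initialize-NewDataDisk {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Label = 'Data',                                    # label for the new volume
        [ValidateSet('MBR', 'GPT')][string]$PartitionStyle = 'GPT'  # Initialize Disk dialog choice
    )

    # Same effect as Action > Rescan Disks: pick up hot-added disks.
    Update-HostStorageCache

    # Inventory, roughly the information Disk Management shows in Disk List view.
    Get-Disk | Sort-Object Number |
        Select-Object Number, FriendlyName, BusType, PartitionStyle, OperationalStatus,
                      HealthStatus, IsOffline, IsReadOnly, IsBoot, IsSystem |
        Format-Table -AutoSize | Out-String | Write-Verbose

    # Only disks without a signature/partition table are candidates. A disk that already
    # has a partition style is left alone: initializing it would discard that table and
    # make whatever is on the disk inaccessible.
    $raw = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' }
    if (-not $raw) { Write-Verbose 'No uninitialized disks found.'; return }

    foreach ($disk in $raw) {
        if ($disk.IsBoot -or $disk.IsSystem) { continue }   # never touch the OS disk
        $target = "Disk $($disk.Number) ($($disk.FriendlyName))"
        if (-not $PSCmdlet.ShouldProcess($target, "Initialize as $PartitionStyle and format NTFS")) { continue }

        # Disks attached after startup are often Offline and read-only under the default SAN policy.
        if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline  $false }
        if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }

        # Initialize-Disk writes the disk signature; New-Partition and Format-Volume take the
        # place of the New Simple Volume Wizard for a single volume that fills the disk.
        Initialize-Disk -Number $disk.Number -PartitionStyle $PartitionStyle -PassThru |
            New-Partition -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false |
            Select-Object DriveLetter, FileSystemLabel, FileSystem, Size
    }
}

# Usage: preview what would be initialized, then run for real.
Initialize-NewDataDisk -WhatIf
Initialize-NewDataDisk -Verbose
```

The `-WhatIf` pass matters on a server with a SAN attached: a LUN that was presented but never initialized looks exactly like a blank local disk, and the only thing stopping you from claiming the wrong one is reading the inventory first.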

Understanding drive status

Knowing the status of a drive is useful when you install new drives or troubleshoot drive problems. Disk Management shows the drive status in Graphical View and Volume List view. Table 1-2 summarizes the most common status values.

Table 1-2. Common drive status values

§ Online. The normal disk status: the disk is accessible and has no known problems. Both dynamic disks and basic disks display this status. Resolution: none needed.

§ Online (Errors). I/O errors have been detected on a dynamic disk. Resolution: try to correct temporary errors by pressing and holding or right-clicking the disk and selecting Reactivate Disk. If this doesn’t work, the disk might have physical damage or you might need to run a thorough check of the disk.

§ Offline. The disk isn’t accessible and might be corrupted or temporarily unavailable. If the disk name changes to Missing, the disk can no longer be located or identified on the system. Resolution: check for problems with the drive, its controller, and cables. Make sure that the drive has power and is connected properly. Use the Reactivate Disk command to bring the disk back online (if possible).

§ Foreign. The disk has been moved to your computer but hasn’t been imported for use. A failed drive brought back online might sometimes be listed as Foreign. Resolution: press and hold or right-click the disk, and then tap or click Import Foreign Disks to add the disk to the system.

§ Unreadable. The disk isn’t accessible currently, which can occur when disks are being rescanned. Both dynamic and basic disks display this status. Resolution: with FireWire and USB card readers, you might get this status if the card is unformatted or improperly formatted. You might also get this status after the card is removed from the reader. Otherwise, if the drives aren’t being scanned, the drive might be corrupted or have I/O errors. Choose Rescan Disks from the Action menu to try to correct the problem. You might also want to restart the system.

§ Unrecognized. The disk is of an unknown type and can’t be used on the system. A drive from a system that is not based on Windows might display this status. Resolution: if the disk is from another operating system, leave it alone. You can’t use the drive on this computer without initializing and formatting it, which discards its contents, so try a different drive.

§ Not Initialized. The disk doesn’t have a valid signature. A drive from a system not based on Windows might display this status. Resolution: if the disk came from another operating system and you still need its contents, leave it alone; initializing writes a new disk signature and partition table, after which the existing data is no longer accessible. To prepare an empty disk for use on Windows Server 2012 R2, press and hold or right-click the disk, and then tap or click Initialize Disk.

§ No Media. No media has been inserted into the DVD or removable drive, or the media has been removed. Only DVD and removable disk types display this status. Resolution: insert a DVD or a removable disk to bring the disk online. With FireWire and USB card readers, this status is usually (but not always) displayed when the card is removed.

Working with basic, dynamic, and virtual disks

Windows Server 2012 R2 supports basic, dynamic, and virtual disk configurations. This section discusses techniques for working with each disk configuration type.

Using basic and dynamic disks

Basic, dynamic, and virtual disk configurations can be used with both legacy storage approaches and standards-based storage. Normally, Windows Server 2012 R2 initializes new disks as basic disks. The exception is when you want to use software-based RAID instead of standards-based storage.

With software-based RAID, you can’t create fault-tolerant drive sets by using the basic disk type. You need to convert to dynamic disks and then create volumes that use mirroring or striping with parity (RAID 1 and RAID 5, respectively). Plain striping (RAID 0) is also available on dynamic disks, but it improves throughput only and provides no fault tolerance: losing one disk loses the whole volume. The fault-tolerant features and the ability to modify disks without having to restart the computer are the key capabilities that distinguish dynamic disks from basic disks. Other features available on a disk depend on the disk formatting.

You can use both basic and dynamic disks on the same computer; however, volume sets must use the same disk type and partitioning style. For example, if you want to mirror drives C and D, both drives must have the dynamic disk type and use the same partitioning style, which can be either MBR or GPT. Note that Disk Management allows you to start many disk configuration tasks regardless of whether the disks with which you are working use the dynamic disk type. The catch is that during the configuration process, Disk Management will convert the disks to the dynamic disk type. To learn how to convert a disk from basic to dynamic, see Changing drive types later in this chapter.

You can perform different disk configuration tasks with basic and dynamic disks. With basic disks, you can do the following:

§ Format partitions, and mark them as active

§ Create and delete primary and extended partitions

§ Create and delete logical drives within extended partitions

§ Convert from a basic disk to a dynamic disk

With dynamic disks, you can do the following:

§ Create and delete simple, striped, spanned, mirrored, and RAID-5 volumes

§ Remove a mirror from a mirrored volume

§ Extend simple or spanned volumes

§ Split a volume into two volumes

§ Repair mirrored or RAID-5 volumes

§ Reactivate a missing or offline disk

§ Revert to a basic disk from a dynamic disk (requires deleting volumes and restoring from backup)

With either disk type, you can do the following:

§ View properties of disks, partitions, and volumes

§ Make drive-letter assignments

§ Configure security and drive sharing

§ Use Storage Spaces to implement standards-based storage

Special considerations for basic and dynamic disks

Whether you’re working with basic or dynamic disks, you need to keep in mind five special types of drive sections:

§ Active. The active partition is the primary partition on an MBR disk from which the computer’s startup code loads the operating system loader. Some devices with removable storage might be listed as having an active partition.

§ Boot. The boot partition or volume contains the operating system and its support files. The system and boot partition or volume can be the same.

§ Crash dump. The partition to which the computer attempts to write dump files in the event of a system crash. By default, dump files are written to the %SystemRoot% folder, but they can be located on any partition or volume.

§ Page file. A partition containing a paging file used by the operating system. Because a computer can page memory to multiple disks, according to the way virtual memory is configured, a computer can have multiple page file partitions or volumes.

§ System. The system partition or volume contains the hardware-specific files needed to load the operating system. The system partition or volume can’t be part of a striped or spanned volume.

REAL WORLD

GPT is becoming the primary disk type for Windows Server. With Windows Server 2012 R2, a typical new disk has the GPT partition style with a recovery partition and an EFI system partition.

NOTE

You can mark a partition as active by using Disk Management. In Disk Management, press and hold or right-click the primary partition you want to mark as active, and then tap or click Mark Partition As Active. You can’t mark dynamic disk volumes as active. When you convert a basic disk containing the active partition to a dynamic disk, this partition becomes a simple volume that’s active automatically.

Changing drive types

You can use dynamic disks with any current version of Windows and many other operating systems, including most UNIX variants. However, keep in mind that you need to create a separate volume for any operating system not based on Windows.

You can’t use dynamic disks on portable computers. When you are working with non-portable computers and servers, you can only use dynamic disks with drives connected to internal controllers (as well as some eSATA controllers). Although you can’t use dynamic disks with portable or removable drives on these computers, you can connect such a drive to an internal controller or a recognized eSATA controller, and then use Disk Management to import the drive.

Windows Server 2012 R2 provides the tools you need to convert a basic disk to a dynamic disk and to change a dynamic disk back to a basic disk. When you convert to a dynamic disk, partitions are changed to volumes of the appropriate type automatically. You can’t change these volumes back to partitions. Instead, you must delete the volumes on the dynamic disk, and then change the disk back to a basic disk. Deleting the volumes destroys all the information on the disk.

Converting a basic disk to a dynamic disk

Before you convert a basic disk to a dynamic disk, you should make sure that you don’t need to boot the computer to an operating system that doesn’t support dynamic disks. With MBR disks, you should also make sure that the disk has 1 MB of free space at the end of the disk. Although Disk Management reserves this free space when creating partitions and volumes, disk management tools on other operating systems might not. Without the free space at the end of the disk, the conversion will fail.

With GPT disks, you must have contiguous, recognized data partitions. If the GPT disk contains partitions that Windows doesn’t recognize, such as those created by another operating system, you can’t convert to a dynamic disk.

With either type of disk, the following holds true:

§ There must be at least 1 MB of free space at the end of the disk. Disk Management reserves this free space automatically, but other disk management tools might not.

§ You can’t use dynamic disks on portable computers or with removable media. You can configure these drives only as basic drives with primary partitions.

§ You shouldn’t convert a disk if it contains multiple installations of the Windows operating system. If you do, you might be able to start the computer only by using the installation which did the conversion.

To convert a basic disk to a dynamic disk, follow these steps:

1. In Disk Management, press and hold or right-click a basic disk that you want to convert, either in the Disk List view or in the left pane of the Graphical View. Then tap or click Convert To Dynamic Disk.

2. In the Convert To Dynamic Disk dialog box, select the check boxes for the disks you want to convert. Tap or click OK to continue. This displays the Disks To Convert dialog box, which shows the disks you’re converting.

The buttons and columns in this dialog box contain the following information:

o Name. Shows the disk number.

o Disk Contents. Shows the type and status of partitions, such as boot, active, or in use.

o Will Convert. Specifies whether the drive will be converted. If the drive doesn’t meet the criteria, it won’t be converted, and you might need to take corrective action, as described previously.

o Details. Shows the volumes on the selected drive.

o Convert. Starts the conversion.

3. To begin the conversion, tap or click Convert. Disk Management warns you that after the conversion is complete, you won’t be able to start previous versions of Windows from volumes on the selected disks. Tap or click Yes to continue.

4. Disk Management restarts the computer if a selected drive contains the boot partition, system partition, or a partition in use.

Changing a dynamic disk back to a basic disk

Before you can change a dynamic disk back to a basic disk, you must delete all dynamic volumes on the disk. After you do this, press and hold or right-click the disk and select Convert To Basic Disk to change the dynamic disk to a basic disk. You can then create new partitions and logical drives on the disk.
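The Storage module has no cmdlet for converting between basic and dynamic, but DiskPart does (convert dynamic and convert basic). The following is an added example, not code from the book, that wraps a DiskPart script from PowerShell and applies the checks described in the two procedures above before converting: it refuses USB and FireWire-attached disks, requires explicit confirmation for the boot or system disk because the conversion forces a restart, and never deletes volumes on your behalf when converting back to basic. It assumes an elevated prompt on Windows Server 2012 R2; the function names are illustrative.

```powershell
# Added example (not from the book): basic <-> dynamic conversion through DiskPart,
# with the preconditions from this chapter checked first.
function Invoke-DiskPartScript {
    param([Parameter(Mandatory)][string[]]$Commands)
    $file = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $file -Value $Commands -Encoding ASCII
        $output = & diskpart.exe /s $file 2>&1 | Out-String
        [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
    }
    finally { Remove-Item -Path $file -ErrorAction SilentlyContinue }
}

function Convert-DiskType {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][ValidateSet('Dynamic', 'Basic')][string]$To,
        [switch]$Force   # required for the boot/system disk, whose conversion restarts the computer
    )
    $disk = Get-Disk -Number $DiskNumber

    # Dynamic disks are not supported on removable drives: refuse USB and FireWire (1394).
    if ($To -eq 'Dynamic' -and $disk.BusType -in @('USB', '1394')) {
        throw "Disk $DiskNumber is attached over $($disk.BusType); it can only be a basic disk."
    }
    # Converting the disk that holds the boot or system partition forces a restart.
    if (($disk.IsBoot -or $disk.IsSystem) -and -not $Force) {
        throw "Disk $DiskNumber is the boot/system disk; pass -Force to accept the restart."
    }
    # Converting back to basic requires that every volume already be deleted. This
    # function never deletes them, because that destroys the data on them. If any
    # volume remains that Get-Partition does not report, DiskPart itself refuses the
    # conversion and that error is surfaced below.
    if ($To -eq 'Basic' -and (Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue)) {
        throw "Disk $DiskNumber still has volumes; back them up, delete them, then convert."
    }

    if ($PSCmdlet.ShouldProcess("Disk $DiskNumber", "convert to $To")) {
        # 'list disk' at the end shows the Dyn column so the result is visible in the output.
        $result = Invoke-DiskPartScript -Commands @("select disk $DiskNumber", "convert $To", "list disk")
        if ($result.ExitCode -ne 0 -or $result.Output -match 'error') {
            throw "DiskPart failed (exit code $($result.ExitCode)):`n$($result.Output)"
        }
        $result.Output
    }
}

# Usage: preview, then convert data disk 2 to dynamic.
Convert-DiskType -DiskNumber 2 -To Dynamic -WhatIf
Convert-DiskType -DiskNumber 2 -To Dynamic
```

DiskPart prints its own error text rather than relying solely on the exit code, which is why the wrapper checks both; a script that only tests `$LASTEXITCODE` can report success for a conversion that never happened.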

Reactivating dynamic disks

If the status of a dynamic disk is Online (Errors) or Offline, you can often reactivate the disk to correct the problem. You reactivate a disk by following these steps:

1. In Disk Management, press and hold or right-click the dynamic disk you want to reactivate, and then tap or click Reactivate Disk. Confirm the action when prompted.

2. If the drive status doesn’t change, you might need to reboot the computer. If this still doesn’t resolve the problem, check for problems with the drive, its controller, and the cables. Also make sure that the drive has power and is connected properly.

Rescanning disks

Rescanning all drives on a system updates the drive configuration information on the computer. Rescanning can sometimes resolve a problem with drives that show a status of Unreadable. You rescan disks on a computer by choosing Rescan Disks from the Action menu in Disk Management.

Moving a dynamic disk to a new system

An important advantage of dynamic disks over basic disks is that you can easily move dynamic disks from one computer to another. For example, if after setting up a computer you decide that you don’t really need an additional hard drive, you can move it to another computer where it can be better used.

Windows Server 2012 R2 greatly simplifies the task of moving disks to a new system. Before moving disks, you should follow these steps:

1. Open Disk Management on the system where the dynamic disks are currently installed. Check the status of the disks, and ensure that they’re marked as Healthy. If the status isn’t Healthy, you should repair partitions and volumes before you move the disks.

NOTE

Drives with BitLocker Drive Encryption cannot be moved by using this technique. BitLocker Drive Encryption wraps drives in a protected seal so that any offline tampering is detected and results in the disk being unavailable until an administrator unlocks it.

2. Check the hard drive subsystems on the original computer and the computer to which you want to transfer the disk. Both computers should have identical hard drive subsystems. If they don’t, the Plug and Play ID on the system drive from the original computer won’t match what the destination computer is expecting. As a result, the destination computer won’t be able to load the right drivers, and the boot attempt might fail.

3. Check whether any dynamic disks you want to move are part of a spanned, extended, or striped set. If they are, you should make a note of which disks are part of which set and plan on moving all disks in a set together. If you are moving only part of a disk set, you should be aware of the consequences. For spanned, extended, or striped volumes, moving only part of the set will make the related volumes unusable on the current computer and on the computer to which you are planning to move the disks.

When you are ready to move the disks, follow these steps:

1. On the original computer, start Computer Management. Then, in the left pane, select Device Manager. In the Device list, expand Disk Drives. This shows a list of the physical disk drives on the computer. Press and hold or right-click each disk you want to move, and then tap or click Uninstall. If you are unsure which disks to uninstall, press and hold or right-click each disk and tap or click Properties. In the Properties dialog box, tap or click the Volumes tab and then select Populate to show the volumes on the selected disk.

2. Next, on the original computer, select the Disk Management node in Computer Management. If the disk or disks you want to move are still listed, press and hold or right-click each disk, and then tap or click Remove Disk.

3. After you perform these procedures, you can move the dynamic disks. If the disks are hot-swappable disks and this feature is supported on both computers, remove the disks from the original computer, and then install them on the destination computer. Otherwise, turn off both computers, remove the drives from the original computer, and then install them on the destination computer. When you have finished, restart the computers.

4. On the destination computer, access Disk Management, and then choose Rescan Disks from the Action menu. When Disk Management finishes scanning the disks, press and hold or right-click any disk marked Foreign, and then tap or click Import. You should now be able to access the disks and their volumes on the destination computer.

NOTE

In most cases, the volumes on the dynamic disks should retain the drive letters they had on the original computer. However, if a drive letter is already used on the destination computer, a volume receives the next available drive letter. If a dynamic volume previously did not have a drive letter, it does not receive a drive letter when moved to the destination computer. Additionally, if automounting is disabled, the volumes aren’t automatically mounted, and you must manually mount volumes and assign drive letters.

Managing virtual hard disks

By using Disk Management, you can create, attach, and detach VHDs. You can create a VHD by choosing Create VHD from the Action menu. In the Create And Attach Virtual Hard Disk dialog box, tap or click Browse. Use the Browse Virtual Disk Files dialog box to select the location where you want to create the .vhd file for the VHD, and then tap or click Save.

In the Virtual Hard Disk Size list, enter the size of the disk in megabytes, gigabytes, or terabytes. Specify whether the size of the VHD dynamically expands to its fixed maximum size as data is saved to it or instead uses a fixed amount of space regardless of the amount of data stored on it. When you tap or click OK, Disk Management creates the VHD.

The VHD is attached automatically and added as a new disk. To initialize the disk for use, press and hold or right-click the disk entry in Graphical View, and then tap or click Initialize Disk. In the Initialize Disk dialog box, the disk is selected for initialization. Specify the disk type as MBR or GPT, and then tap or click OK.

After initializing the disk, press and hold or right-click the unpartitioned space on the disk and create a volume of the appropriate type. After you create the volume, the VHD is available for use.

After you’ve created, attached, initialized, and formatted a VHD, you can work with a virtual disk in much the same way as you work with other disks. You can write data to and read data from a VHD. You can boot the computer from a VHD. You are able to take a VHD offline or put a VHD online by pressing and holding or right-clicking the disk entry in Graphical View and selecting Offline or Online, respectively. If you no longer want to use a VHD, you can detach it by pressing and holding or right-clicking the disk entry in Graphical View, selecting Detach VHD, and then tapping or clicking OK in the Detach Virtual Hard Disk dialog box.

You can use VHDs created with other programs as well. If you created a VHD using another program or have a detached VHD you want to attach, you can work with the VHD by completing the following steps:

1. In Disk Management, tap or click the Attach VHD option on the Action menu.

2. In the Attach Virtual Hard Disk dialog box, tap or click Browse. Use the Browse Virtual Disk Files dialog box to select the .vhd file for the VHD, and then tap or click Open.

3. If you want to attach the VHD in read-only mode, select Read-Only. Tap or click OK to attach the VHD.
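The Create VHD and Attach VHD procedures above, as an added example in PowerShell that is not code from the book. New-VHD comes from the Hyper-V PowerShell module, which is assumed to be installed; Mount-DiskImage, Get-DiskImage and Dismount-DiskImage are in the Storage module of Windows Server 2012 R2. The path, size and function names are illustrative. The read-only function checks that the attached disk really is read-only before handing it back, which is the check you want when attaching an image you did not create.

```powershell
# Added example (not from the book): create, attach, initialize, detach and
# read-only attach a VHD from PowerShell.
function New-DataVhd {
    param(
        [Parameter(Mandatory)][string]$Path,        # e.g. 'D:\VHDs\data1.vhd'
        [Parameter(Mandatory)][uint64]$SizeBytes,   # maximum size, e.g. 20GB
        [switch]$Fixed,                             # fixed size instead of dynamically expanding
        [string]$Label = 'VhdData'
    )
    if (Test-Path -Path $Path) { throw "Refusing to overwrite existing image $Path" }

    # Create VHD: the book's dynamically expanding / fixed size choice.
    if ($Fixed) { New-VHD -Path $Path -SizeBytes $SizeBytes -Fixed   | Out-Null }
    else        { New-VHD -Path $Path -SizeBytes $SizeBytes -Dynamic | Out-Null }

    # Attach read/write, then initialize, partition and format as for a physical disk.
    Mount-DiskImage -ImagePath $Path | Out-Null
    Get-DiskImage -ImagePath $Path | Get-Disk |
        Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false |
        Select-Object DriveLetter, FileSystemLabel, Size
}

function Mount-VhdReadOnly {
    # Attach VHD with the Read-Only check box selected.
    param([Parameter(Mandatory)][string]$Path)
    Mount-DiskImage -ImagePath $Path -Access ReadOnly | Out-Null
    $disk = Get-DiskImage -ImagePath $Path | Get-Disk
    if (-not $disk.IsReadOnly) {
        # Do not leave a writable attachment behind if the mode was not honored.
        Dismount-DiskImage -ImagePath $Path
        throw "Image $Path was not attached read-only; detached it again."
    }
    $disk | Get-Partition | Get-Volume |
        Select-Object DriveLetter, FileSystem, FileSystemLabel, Size
}

function Dismount-DataVhd {
    # Detach VHD. Close any files open on the volume first, or the dismount fails.
    param([Parameter(Mandatory)][string]$Path)
    Dismount-DiskImage -ImagePath $Path
}

# Usage
New-DataVhd -Path 'D:\VHDs\data1.vhd' -SizeBytes 20GB
Dismount-DataVhd -Path 'D:\VHDs\data1.vhd'
Mount-VhdReadOnly -Path 'D:\VHDs\data1.vhd'
```

Dismount-DiskImage is the same operation as Detach VHD in Disk Management; the .vhd file stays where it is and can be attached again later, read-only or read/write.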

Using basic disks and partitions

When you install a new computer or update an existing computer, you often need to partition the drives on the computer. You partition drives by using Disk Management.

Partitioning basics

In Windows Server 2012 R2, a physical drive using the MBR partition style can have up to four primary partitions and one extended partition. This allows you to configure MBR drives in one of two ways: by using one to four primary partitions, or by using one to three primary partitions and one extended partition. A primary partition can fill an entire disk, or you can size it as appropriate for the workstation or server you’re configuring. Within an extended partition, you can create one or more logical drives. A logical drive is simply a section of a partition with its own file system. Generally, you use logical drives to divide a large drive into manageable sections. With this in mind, you might want to divide a 600-GB extended partition into three logical drives of 200 GB each. Physical disks with the GPT partition style can have up to 128 partitions.

After you partition a drive, you format the partitions. This is high-level formatting that creates the file system structure rather than low-level formatting that sets up the drive for initial use. You’re probably very familiar with the C drive used by Windows Server 2012 R2. Well, the C drive is simply the designator for a disk partition. If you partition a disk into multiple sections, each section can have its own drive letter. You use the drive letters to access file systems in various partitions on a physical drive. Unlike MS-DOS, which assigns drive letters automatically starting with the letter C, Windows Server 2012 R2 lets you specify drive letters. Generally, the drive letters C through Z are available for your use.

NOTE

The drive letter A used to be assigned to a system’s floppy disk drive. If the system had a second floppy disk drive, the letter B was assigned to it, so you could use only the letters C through Z. Don’t forget that DVD drives and other types of media drives need drive letters as well. The total number of drive letters you can use at one time is 24. If you need additional volumes, you can create them by using drive paths.

By using drive letters, you can have only 24 active volumes. To get around this limitation, you can mount disks to drive paths. A drive path is set as a folder location on another drive. For example, you might mount additional drives as E:\Data1, E:\Data2, and E:\Data3. You can use drive paths with basic and dynamic disks. The only restriction for drive paths is that you mount them on empty folders that are on NTFS drives.
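Mounting a volume on a drive path, as an added example that is not code from the book. The function enforces the two restrictions stated above before calling Add-PartitionAccessPath: the folder must be on an NTFS volume and it must be empty. It assumes the Storage module on Windows Server 2012 R2 and an elevated prompt; the disk and partition numbers, the path and the function name are illustrative.

```powershell
# Added example (not from the book): mount a partition on an empty NTFS folder.
function Mount-PartitionOnFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][int]$PartitionNumber,
        [Parameter(Mandatory)][string]$AccessPath   # e.g. 'E:\Data1'
    )
    # Volume mount points are expressed with a trailing backslash.
    $AccessPath = $AccessPath.TrimEnd('\') + '\'

    # The folder must live on an NTFS volume.
    $root = [System.IO.Path]::GetPathRoot($AccessPath)
    if ($root -notmatch '^[A-Za-z]:\\$') { throw "AccessPath must be a local drive path, got $AccessPath" }
    $hostVolume = Get-Volume -DriveLetter $root.Substring(0, 1)
    if ($hostVolume.FileSystem -ne 'NTFS') {
        throw "$root is $($hostVolume.FileSystem); drive paths require an NTFS host volume."
    }

    # The folder must exist and be empty (hidden and system files count as contents).
    if (-not (Test-Path -Path $AccessPath)) {
        New-Item -ItemType Directory -Path $AccessPath | Out-Null
    }
    elseif (Get-ChildItem -Path $AccessPath -Force | Select-Object -First 1) {
        throw "$AccessPath is not empty; Windows mounts volumes only on empty folders."
    }

    if ($PSCmdlet.ShouldProcess("Disk $DiskNumber partition $PartitionNumber", "mount at $AccessPath")) {
        Add-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -AccessPath $AccessPath
        Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber |
            Select-Object DiskNumber, PartitionNumber, AccessPaths
    }
}

# Usage. On a GPT data disk the first partition is normally the Microsoft Reserved
# partition, so the data partition created by New Simple Volume is number 2.
Mount-PartitionOnFolder -DiskNumber 3 -PartitionNumber 2 -AccessPath 'E:\Data1' -WhatIf
Mount-PartitionOnFolder -DiskNumber 3 -PartitionNumber 2 -AccessPath 'E:\Data1'
```

A volume mounted this way can keep a drive letter as well; AccessPaths in the output lists every path through which the volume is reachable, which is worth checking before you set share or NTFS permissions that assume a single path.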

To help you differentiate between primary partitions and extended partitions with logical drives, Disk Management color codes the partitions. For example, primary partitions might be color coded with a dark-blue band and logical drives in extended partitions might be color coded with a light-blue band. The key for the color scheme is shown at the bottom of the Disk Management window. You can change the colors in the Settings dialog box by choosing Settings from the View menu.

Creating partitions and simple volumes

Windows Server 2012 R2 simplifies the Disk Management user interface by using one set of dialog boxes and wizards for both partitions and volumes. On a basic disk that uses the MBR partition style, the first three volumes are created automatically as primary partitions. If you try to create a fourth volume, the remaining free space on the disk is converted automatically to an extended partition containing a logical drive of the size you designate, and any subsequent volumes are created in that extended partition as logical drives. (GPT disks have no extended partitions; Disk Management simply creates each new volume as another primary partition, up to the 128 partitions the GPT scheme allows.)

In Disk Management, you create partitions, logical drives, and simple volumes by following these steps:

1. In Disk Management’s Graphical View, press and hold or right-click an unallocated or free area, and then tap or click New Simple Volume. This starts the New Simple Volume Wizard. Read the Welcome page, and then tap or click Next.

2. The Specify Volume Size page in the New Simple Volume Wizard, shown in Figure 1-3, specifies the minimum and maximum size for the volume in megabytes and lets you size the volume within these limits. Size the partition in megabytes in the Simple Volume Size In MB box, and then tap or click Next.

Set the size of the volume on the Specify Volume Size page in the New Simple Volume Wizard.

Figure 1-3. Set the size of the volume on the Specify Volume Size page in the New Simple Volume Wizard.

3. On the Assign Drive Letter Or Path page, shown in Figure 1-4, specify whether you want to assign a drive letter or path, and then tap or click Next. The following options are available:

o Assign The Following Drive Letter. Choose this option to assign a drive letter. Then select an available drive letter in the list provided. By default, Windows Server 2012 R2 selects the lowest available drive letter and excludes reserved drive letters as well as those assigned to local disks or network drives.

o Mount In The Following Empty NTFS Folder. Choose this option to mount the partition in an empty NTFS folder. You must then type the path to an existing folder or tap or click Browse to search for or create a folder to use.

o Do Not Assign A Drive Letter Or Drive Path. Choose this option if you want to create the partition without assigning a drive letter or path. If you later want the partition to be available for storage, you can assign a drive letter or path at that time.

NOTE

You don’t have to assign volumes a drive letter or a path. A volume with no designators is considered to be unmounted and is for the most part unusable. An unmounted volume can be mounted by assigning a drive letter or a path at a later date. See Assigning drive letters and paths in Chapter 2.

On the Assign Drive Letter Or Path page, assign the drive designator or choose to wait until later.

Figure 1-4. On the Assign Drive Letter Or Path page, assign the drive designator or choose to wait until later.

4. On the Format Partition page, shown in Figure 1-5, determine whether and how the volume should be formatted. If you want to format the volume, select Format This Volume With The Following Settings, and then configure the following options:

o File System. Sets the file system type as FAT, FAT32, exFAT, NTFS, or ReFS. The file system types available depend on the size of the volume you are formatting. If you use FAT32, you can later convert to NTFS with the Convert utility. You can’t, however, convert NTFS partitions to FAT32.

o Allocation Unit Size. Sets the cluster size for the file system. This is the basic unit in which disk space is allocated. The default allocation unit size is based on the size of the volume and is set dynamically prior to formatting by default. To override this feature, you can set the allocation unit size to a specific value. If you use many small files, you might want to use a smaller cluster size, such as 512 or 1,024 bytes. With these settings, small files use less disk space. Note that ReFS volumes have a fixed allocation unit size.

o Volume Label. Sets a text label for the partition. This label is the partition’s volume name and is set to New Volume by default. You can change the volume label at any time by pressing and holding or right-clicking the volume in File Explorer, tapping or clicking Properties, and typing a new value in the Label box provided on the General tab.

o Perform A Quick Format. Tells Windows Server 2012 R2 to write the new file system structures without scanning the partition for bad sectors or overwriting its contents. With large partitions, this option can save considerable time. However, a full format is usually the better choice: it lets Disk Management find bad sectors and lock them out, and it overwrites the volume, so data from the partition's previous use can no longer be recovered with file-carving tools. A quick format leaves that data on the disk until new data replaces it, which matters if the partition previously held sensitive information. Neither type of format is a substitute for a proper media sanitization procedure when a drive leaves your control.

o Enable File And Folder Compression. Turns on compression for the disk. Built-in compression is available only for NTFS (and is not supported for FAT, FAT32, exFAT, or ReFS). Under NTFS, compression is transparent to users and compressed files can be accessed just like regular files. If you select this option, files and directories on this drive are compressed automatically. For more information on compressing drives, files, and directories, see Compressing drives and data later in this chapter.

Set the formatting options for the partition on the Format Partition page.

Figure 1-5. Set the formatting options for the partition on the Format Partition page.
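The same procedure carried out from PowerShell, as an added example that is not from the book: it performs the wizard's steps (size the volume, choose not to assign a drive letter, format with a full rather than quick format) and then mounts the new volume in an empty NTFS folder, which is the drive-path technique described earlier in this section for getting past the 24-letter limit. The disk number, volume size, label and mount path are assumptions; adjust them before running this in an elevated session. The Storage cmdlets used here are built into Windows Server 2012 R2.

```powershell
# Added example (not from the book): New Simple Volume Wizard steps from
# PowerShell, with the volume mounted in a folder instead of a drive letter.
# Disk number, size, label and mount path are assumptions for this example.

$DiskNumber = 1
$Size       = 20GB
$Label      = 'Data1'
$MountPath  = 'E:\Data1'   # must be an empty folder on an NTFS volume

$disk = Get-Disk -Number $DiskNumber
if ($disk.PartitionStyle -eq 'RAW') {
    # A brand-new disk has no partition table yet. GPT avoids the MBR limit of
    # four primary partitions discussed above.
    Initialize-Disk -Number $DiskNumber -PartitionStyle GPT
    $disk = Get-Disk -Number $DiskNumber
}
if ($disk.LargestFreeExtent -lt $Size) {
    throw ("Disk {0} has only {1:N1} GB of contiguous free space." -f `
        $DiskNumber, ($disk.LargestFreeExtent / 1GB))
}

# Wizard steps 2 and 3: size the volume and do NOT assign a drive letter.
$part = New-Partition -DiskNumber $DiskNumber -Size $Size

# Wizard step 4: format. -Full performs a full rather than a quick format, so
# the volume is scanned for bad sectors and its previous contents overwritten.
# 4096-byte clusters are the NTFS default for volumes up to 16 TB.
Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel $Label `
    -AllocationUnitSize 4096 -Full -Confirm:$false | Out-Null

# "Mount In The Following Empty NTFS Folder": the folder must exist, be empty,
# and live on an NTFS volume, so check all three before mounting.
if (-not (Test-Path -LiteralPath $MountPath)) {
    New-Item -ItemType Directory -Path $MountPath | Out-Null
} elseif (Get-ChildItem -LiteralPath $MountPath -Force) {
    throw "$MountPath is not empty; a mount point must be an empty folder."
}
if ((Get-Volume -FilePath (Split-Path $MountPath -Parent)).FileSystem -ne 'NTFS') {
    throw "The folder holding the mount point must be on an NTFS volume."
}
Add-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $part.PartitionNumber `
    -AccessPath $MountPath

# Verify: no drive letter, NTFS, the label and cluster size requested, and the
# folder listed as the partition's access path.
Get-Volume -FileSystemLabel $Label | Format-List DriveLetter, FileSystem, AllocationUnitSize, Size
(Get-Partition -DiskNumber $DiskNumber -PartitionNumber $part.PartitionNumber).AccessPaths
```

The free-space and empty-folder checks are there because New-Partition and Add-PartitionAccessPath fail with generic errors in those cases; checking first gives a message that says what to fix. Leave out -Full only for media that has never held data you care about.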

Formatting partitions

Formatting creates a file system on a partition and makes any existing data on it inaccessible through the file system; a full format also overwrites that data, whereas a quick format leaves it on the disk until new data replaces it. This is high-level formatting that creates the file system structure rather than low-level formatting that initializes a drive for use. To format a partition, press and hold or right-click the partition, and then tap or click Format. This opens the Format dialog box, shown in Figure 1-6.

Format a partition in the Format dialog box by specifying its file system type and volume label.

Figure 1-6. Format a partition in the Format dialog box by specifying its file system type and volume label.

You use the formatting options as follows:

§ Volume Label. Specifies a text label for the partition. This label is the partition’s volume name.

§ File System. Specifies the file system type as FAT, FAT32, exFAT, NTFS, or ReFS. The file system types available depend on the size of the volume you are formatting.

§ Allocation Unit Size. Specifies the cluster size for the file system. This is the basic unit in which disk space is allocated. The default allocation unit size is based on the size of the volume and is set dynamically prior to formatting. To override this feature, you can set the allocation unit size to a specific value. If you use lots of small files, you might want to use a smaller cluster size, such as 512 or 1,024 bytes. With these settings, small files use less disk space.

§ Perform A Quick Format. Tells Windows Server 2012 R2 to write the new file system structures without checking the partition for errors or overwriting its contents. With large partitions, this option can save considerable time. However, it’s more prudent to run a full format, which allows Disk Management to mark bad sectors on the disk and lock them out, and which overwrites whatever the partition held before so that it can’t be recovered later with file-carving tools.

When you’re ready to proceed, tap or click OK. Because formatting a partition destroys any existing data, Disk Management gives you one last chance to cancel the procedure. Tap or click OK to start formatting the partition. Disk Management changes the drive’s status to reflect the formatting and the percentage of completion. When formatting is complete, the drive status changes to reflect this.

Compressing drives and data

When you format a drive for NTFS, Windows Server 2012 R2 allows you to turn on the built-in compression feature. With compression, all files and directories stored on a drive are automatically compressed when they’re created. Because this compression is transparent to users, compressed data can be accessed just like regular data. The difference is that you can store more information on a compressed drive than you can on an uncompressed drive.

IMPORTANT

File Explorer shows the names of compressed resources in blue. It’s also important to point out that ReFS does not support NTFS compression.

REAL WORLD

Although compression is certainly a useful feature when you want to save disk space, you can’t encrypt compressed data. Compression and encryption are mutually exclusive alternatives for NTFS volumes, which means you have the choice of using compression or using encryption. You can’t use both techniques. For more information on encryption, see Encrypting drives and data later in this chapter. If you try to compress encrypted data, Windows Server 2012 R2 automatically decrypts the data, and then compresses it. Likewise, if you try to encrypt compressed data, Windows Server 2012 R2 uncompresses the data, and then encrypts it.

Compressing drives

To compress a drive and all its contents, follow these steps:

1. In File Explorer or Disk Management, press and hold or right-click the drive you want to compress, and then tap or click Properties.

2. On the General tab, select Compress Drive To Save Disk Space, and then tap or click OK.

3. In the Confirm Attribute Changes dialog box, select whether to apply the changes to subfolders and files, and then tap or click OK.

Compressing directories and files

If you decide not to compress a drive, Windows Server 2012 R2 lets you selectively compress directories and files. To compress a file or directory, follow these steps:

1. In File Explorer, press and hold or right-click the file or directory you want to compress, and then tap or click Properties.

2. On the General tab of the Properties dialog box, tap or click Advanced. In the Advanced Attributes dialog box, select the Compress Contents To Save Disk Space check box. Tap or click OK twice.

For an individual file, Windows Server marks the file as compressed, and then compresses it. For a directory, Windows Server marks the directory as compressed and then compresses all the files in it. If the directory contains subfolders, Windows Server displays a dialog box that allows you to compress all the subfolders associated with the directory. Simply select Apply Changes To This Folder, Subfolders, And Files, and then tap or click OK. After you compress a directory, any new files added or copied to the directory are compressed automatically.

NOTE

A move within the same NTFS volume only updates the directory entry, so the file keeps its existing attributes: an uncompressed file moved into a compressed folder on the same drive stays uncompressed. A copy, or a move from a different volume (which is a copy followed by a delete), creates a new file that inherits the destination folder’s compression attribute, so the file is compressed. Note also that you can’t encrypt compressed files; turning on encryption uncompresses them first.

Expanding compressed drives

File Explorer shows the names of compressed files and folders in blue. You can remove compression from a drive by following these steps:

1. In File Explorer or Disk Management, press and hold or right-click the drive that contains the data you want to expand, and then tap or click Properties.

2. Clear the Compress Drive To Save Disk Space check box, and then tap or click OK.

3. In the Confirm Attribute Changes dialog box, select whether to apply the change to subfolders and files, and then tap or click OK.

TIP

Windows always checks the available disk space before expanding compressed data. You should, too. If less free space is available than used space, you might not be able to complete the expansion. For example, if a compressed drive uses 150 GB of space and has 70 GB of free space available, you won’t have enough free space to expand the data. Generally, you need about 1.5 to 2 times as much free space as you have compressed data.

Expanding compressed directories and files

If you decide that you want to expand a compressed file or directory, follow these steps:

1. Press and hold or right-click the file or directory in File Explorer, and then tap or click Properties.

2. On the General tab of the Properties dialog box, tap or click Advanced. Clear the Compress Contents To Save Disk Space check box. Tap or click OK twice.

With files, Windows Server removes compression and expands the file. With directories, Windows Server expands all the files within the directory. If the directory contains subfolders, you also have the opportunity to remove compression from the subfolders. To do this, select Apply Changes To This Folder, Subfolders, And Files when prompted, and then tap or click OK.

TIP

Windows Server also provides a command-line utility for compressing and uncompressing data: Compact (Compact.exe). Use compact /c to compress and compact /u to uncompress; the /s switch applies the operation to a directory tree, and compact with no switches reports the compression state of the files in the current directory. (Expand.exe is a different tool that unpacks Microsoft cabinet files; it has nothing to do with NTFS compression.)
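The compression and expansion procedures above, and the free-space check from the TIP, as an added PowerShell example that is not from the book. It compresses a folder tree with Compact.exe, reports the logical size against the real on-disk size (File Explorer's Size column always shows the logical, uncompressed size, so the real figure needs a Win32 call), and refuses to expand the data unless the volume has enough free space to hold it. The folder path and the 1.5x safety margin are assumptions; run it as a user with write access to the files.

```powershell
# Added example (not from the book): compress a tree with compact.exe, measure
# what it saved, and expand again only if the volume can hold the result.
# $Folder and the 1.5x margin are assumptions for this example.

$Folder = 'E:\Data1\Archive'

# .Length reports the logical (uncompressed) size. GetCompressedFileSize returns
# the bytes actually occupied on disk, which is what matters for free space.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetCompressedFileSize(string lpFileName, out uint lpFileSizeHigh);
'@

function Get-OnDiskSize([string]$Path) {
    [uint32]$high = 0
    $low = [Win32.Native]::GetCompressedFileSize($Path, [ref]$high)
    return (([uint64]$high -shl 32) -bor [uint64]$low)
}

function Get-CompressionReport([string]$Root) {
    $files   = @(Get-ChildItem -LiteralPath $Root -File -Recurse -Force)
    $logical = ($files | Measure-Object -Property Length -Sum).Sum
    $onDisk  = ($files | ForEach-Object { Get-OnDiskSize $_.FullName } | Measure-Object -Sum).Sum
    [pscustomobject]@{
        Files           = $files.Count
        CompressedFiles = @($files | Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Compressed) -ne 0 }).Count
        LogicalBytes    = [uint64]$logical
        OnDiskBytes     = [uint64]$onDisk
    }
}

# Compress: /C compress, /S:dir recurse into the tree, /I keep going past files
# that can't be compressed right now (for example, files held open).
compact.exe /C "/S:$Folder" /I | Select-Object -Last 3
Get-CompressionReport $Folder

# Expand: apply the TIP's check first. Expanding needs roughly
# (logical - on-disk) extra bytes; demand 1.5x that, because space is only
# returned after each file finishes and the first failure leaves a mixed tree.
$report = Get-CompressionReport $Folder
$vol    = Get-Volume -FilePath $Folder
$needed = [uint64](($report.LogicalBytes - $report.OnDiskBytes) * 1.5)
if ($vol.SizeRemaining -lt $needed) {
    throw ("Only {0:N0} MB free on volume {1}; expanding needs about {2:N0} MB." -f `
        ($vol.SizeRemaining / 1MB), $vol.FileSystemLabel, ($needed / 1MB))
}
compact.exe /U "/S:$Folder" /I | Select-Object -Last 3
Get-CompressionReport $Folder   # CompressedFiles should now be 0
```

Get-Volume -FilePath resolves the volume that actually holds the folder, which matters when the folder sits under a mount path such as E:\Data1: the free space that counts is the mounted volume's, not E:'s.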

Encrypting drives and data

NTFS has many advantages over other file systems you can use with Windows Server. One advantage is the capability to automatically encrypt and decrypt data by using the Encrypting File System (EFS). Encryption adds a layer of protection on top of NTFS permissions: a user who gets at an encrypted file without the matching private key, whether by being granted Full Control through the ACL, by taking ownership, or by reading the disk offline, sees only ciphertext. Only the users whose certificates are attached to the file, and any designated recovery agents, can read it. This benefit is also the feature’s main operational cost: before other users can work with the data, the owner must either decrypt it or add those users’ certificates to the file, and a user who loses the private key loses the data unless a recovery agent exists. Keep in mind what EFS does not protect against: malware or any other process running under the account of a user who holds the key reads the files as transparently as the user does.

NOTE

As discussed previously, you can’t compress encrypted files. The encryption and compression features of NTFS are mutually exclusive. You can use one feature or the other, but not both. Note also that ReFS doesn’t support this type of encryption.

Understanding encryption and the encrypting file system

File encryption is supported on a per-folder or per-file basis. Any file placed in a folder marked for encryption is automatically encrypted. An encrypted file can be read only by users whose EFS certificates are attached to it, which initially means the person who encrypted it, plus any designated recovery agents. Before other users can read an encrypted file, the user must either decrypt the file or grant them access by adding their encryption certificates to the file.

Each encrypted file is encrypted with its own randomly generated symmetric key, the file encryption key (FEK). The FEK is stored in the file’s header, encrypted with the public key of each user who is allowed to open the file and, separately, with the public key of each recovery agent. An encrypted file can be copied, moved, backed up, restored, or renamed just like any other file, and in most cases these actions don’t affect the encryption of the data. (For details, see Working with encrypted files and folders later in this chapter.) The user who encrypts a file always has access to the file, provided that the user’s EFS certificate and its private key are available on the computer that she is using. For this user, the encryption and decryption process is handled automatically and is transparent.

EFS is the component that handles encryption and decryption. The default setup for EFS allows users to encrypt files without needing special permission. The FEK of each file is protected by a public/private key pair that belongs to the user; if no enterprise CA issues EFS certificates, EFS generates a self-signed certificate and key pair for the user the first time she encrypts a file.

A user’s EFS certificate and, more importantly, its private key are stored in the user’s profile; the private key is protected by DPAPI, which derives its protection from the user’s logon credentials. If a user works with multiple computers and wants to use encryption, an administrator needs to configure a roaming profile (or credential roaming) for that user. A roaming profile ensures that the user’s profile data, certificate, and private key are accessible from other computers. Without this, users won’t be able to access their encrypted files on another computer. Because the private key is tied to the logon credentials, an administrative password reset of a local account (as opposed to the user changing her own password) makes the key unrecoverable; domain accounts are protected from this because the domain controller keeps a backup key for DPAPI.

SECURITY ALERT

An alternative to a roaming profile is to export the user’s EFS certificate together with its private key (a password-protected .pfx file) and import it on each computer the user logs on to. You can do this with the certificate backup and restore process discussed in Backing up and restoring the system state in Chapter 11, or with cipher /x, which backs up the current user’s EFS certificate and keys. Exporting the certificate alone, without the private key, is not enough: the private key is what decrypts the files. Treat the .pfx file as a secret, because anyone who obtains it and its password can decrypt every file encrypted to that certificate.

EFS has a built-in data recovery system to guard against data loss. This recovery system ensures that encrypted data can be recovered if a user’s private key is lost or deleted, or if the user’s account is deleted. The most common scenario for this is when a user leaves the company and the associated user account is deleted. Without either the user’s private key or a recovery agent’s key, nobody can decrypt the files: attempts to open them, remove the encryption, or copy them to an exFAT, FAT, or FAT32 volume (which would require decrypting them first) all fail with an access-denied error, even for an administrator who has Full Control of the files.

To access encrypted files after the user account has been deleted, you need to use a recovery agent. Recovery agents have access to the file encryption key necessary to unlock data in encrypted files. To protect sensitive data, however, recovery agents don’t have access to a user’s private key or any private key information.

A recovery agent is a user whose certificate is listed in the EFS recovery policy; EFS adds that certificate to every file it encrypts while the policy is in effect, so those files can always be recovered. In a domain, a recovery agent is designated automatically and the necessary recovery certificate is generated automatically as well. If a recovery policy exists but lists no certificates, Windows Server refuses to encrypt files at all rather than create files that no agent can recover.

EFS recovery agents are configured at two levels:

§ Domain. The recovery agent for a domain is configured automatically when the first Windows Server domain controller is installed. By default, the recovery agent is the domain administrator. Through Group Policy, domain administrators can designate additional recovery agents. Domain administrators can also delegate recovery agent privileges to designated security administrators.

§ Local computer. When a computer is part of a workgroup or in a standalone configuration, current versions of Windows designate no recovery agent by default (the automatic local Administrator agent was a Windows 2000 behavior). Users can still encrypt files, but only their own private keys can decrypt them until you create a recovery certificate (cipher /r) and add it as a recovery agent in Local Security Policy. Further, if you want local recovery agents in a domain environment rather than domain-level recovery agents, you must delete the recovery policy from Group Policy for the domain.

You can delete recovery agents if you don’t want them to be used. However, if a recovery policy is defined and you delete all the agents from it, EFS will no longer encrypt files. One or more recovery agents must be listed in a defined recovery policy for EFS to function.

Encrypting directories and files

With NTFS volumes, Windows Server lets you select files and folders for encryption. When a file is encrypted, the file data is converted to an encrypted format that can be read only by the person who encrypted the file (plus any users she later adds and any designated recovery agents). Users can encrypt files only if they have the proper access permissions. When you encrypt folders, the folder is marked as encrypted, but only the files within it are actually encrypted. All files that are created in or added to a folder marked as encrypted are encrypted automatically. Note that File Explorer shows names of encrypted resources in green.

To encrypt a file or directory, follow these steps:

1. In File Explorer, press and hold or right-click the file or directory you want to encrypt, and then tap or click Properties.

2. On the General tab of the Properties dialog box, tap or click Advanced, and then select the Encrypt Contents To Secure Data check box. Tap or click OK twice.

NOTE

Compressed files, files with the System attribute, and read-only files can’t be encrypted as they are. If you try to encrypt compressed files, the files are automatically uncompressed and then encrypted. If you try to encrypt system files, you get an error.

For an individual file, Windows Server marks the file as encrypted, and then encrypts it. For a directory, Windows Server marks the directory as encrypted, and then encrypts all the files in it. If the directory contains subfolders, Windows Server displays a dialog box that allows you to encrypt all the subfolders associated with the directory. Simply select Apply Changes To This Folder, Subfolders, And Files, and then tap or click OK.

NOTE

On NTFS volumes, files remain encrypted even when they’re moved, copied, or renamed. If you copy or move an encrypted file to an exFAT, FAT, or FAT32 volume, the file is decrypted before being copied or moved, which succeeds only for a user who holds a private key that can unlock the file (or for a recovery agent); anyone else gets an access-denied error even with Full Control permissions. The copy that lands on the destination volume is in plain text.

You can grant special access to an encrypted file or folder by pressing and holding or right-clicking the file or folder in File Explorer, and then selecting Properties. On the General tab of the Properties dialog box, tap or click Advanced. In the Advanced Attributes dialog box, tap or click Details. In the Encryption Details For dialog box, users who have access to the encrypted file are listed by name. To allow another user access to the file, tap or click Add. If a user certificate is available for the user, select the user’s name in the list provided, and then tap or click OK. Otherwise, tap or click Find User to locate the certificate for the user.
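The encrypt and grant-access steps above, as an added PowerShell example that is not from the book. It encrypts a folder tree with Cipher.exe, checks that everything inside actually carries the Encrypted attribute (the cases the NOTE above mentions, such as system files, show up as leftovers), confirms that a file created afterward inherits encryption, and then adds a second user by certificate file, which is the command-line equivalent of the Details list in the Encryption Details dialog box. The folder path and the other user's exported certificate file are assumptions.

```powershell
# Added example (not from the book): encrypt a tree, verify it, and add a second
# user's EFS certificate. $Folder and $CertFile are assumptions for this example;
# $CertFile is the other user's EFS public certificate exported as a .cer file.

$Folder   = 'E:\Data1\Finance'
$CertFile = 'C:\Certs\jsmith-efs.cer'

# /E encrypt, /A include files (not just directories), /S:dir recurse.
# Run this as the user who will own the data; her first use of EFS creates a
# self-signed EFS certificate if no enterprise CA issues one.
cipher.exe /E /A "/S:$Folder"

function Test-Encrypted([string]$Path) {
    # The attribute lives on the file system object, so this works for files
    # and for folders (a folder is only marked; its files hold the ciphertext).
    ((Get-Item -LiteralPath $Path -Force).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
}

$left = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    Where-Object { -not (Test-Encrypted $_.FullName) })
if ($left.Count -gt 0) {
    # Typically files with the System attribute, or files held open while cipher ran.
    Write-Warning ("Not encrypted:`n" + ($left.FullName -join "`n"))
}

# A file created in the marked folder is encrypted automatically.
$newFile = Join-Path $Folder 'q1.txt'
'quarterly numbers' | Set-Content -LiteralPath $newFile
Test-Encrypted $newFile   # expected: True

# Grant a second user access to every file in the tree. Her public key is used
# to wrap each file's FEK; the files stay encrypted and the FEK is never exposed.
cipher.exe /ADDUSER "/CERTFILE:$CertFile" "/S:$Folder"

# /C lists, per file, the users who can decrypt it and the recovery certificates.
cipher.exe /C $newFile
```

The final cipher /C is the command-line form of the check recommended later in Working with encrypted files and folders: run it after any copy or move of a sensitive file to confirm that encryption, and the expected set of users, survived.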

Working with encrypted files and folders

Previously, I said you can copy, move, and rename encrypted files and folders just like any other files. This is true, but I qualified this by saying “in most cases.” When you work with encrypted files, you’ll have few problems as long as you work with NTFS volumes on the same computer. When you work with other file systems or other computers, you might run into problems. Two of the most common scenarios are the following:

§ Copying between volumes on the same computer. When you copy or move an encrypted file or folder from one NTFS volume to another NTFS volume on the same computer, the files remain encrypted. However, if you copy or move encrypted files to a FAT volume, the files are decrypted before transfer and then transferred as standard files, and therefore end up in their destination as unencrypted files. FAT doesn’t support encryption.

§ Copying between volumes on a different computer. When you copy or move an encrypted file or folder from an NTFS volume to an NTFS volume on a different computer, your computer decrypts the file locally and the remote computer re-encrypts it on arrival. The files therefore remain encrypted as long as the destination computer allows you to encrypt files, the remote computer is trusted for delegation, and your EFS certificate and private key are available there (through a roaming profile, for example). Otherwise, the files are decrypted and then transferred as standard files. The same is true when you copy or move encrypted files to a FAT volume on another computer. FAT doesn’t support encryption. In either case the data crosses the network decrypted; if that matters, enable SMB encryption on the share (available with SMB 3.0 on Windows Server 2012 and later) or use a backup tool that copies the files in their raw encrypted form.

After you transfer a sensitive file that has been encrypted, you might want to confirm that the encryption is still applied. Press and hold or right-click the file, and then select Properties. On the General tab of the Properties dialog box, tap or click Advanced. The Encrypt Contents To Secure Data option should be selected.

Configuring recovery policies

A recovery policy is configured automatically when a domain is created, and domain administrators are the designated recovery agents for the domain. A standalone server or workstation has no recovery agent until you create a recovery certificate (cipher /r) and add it to the local recovery policy.

Group Policy Management Console (GPMC) is a feature you can add to any installation of Windows Server 2008 or later by using the Add Roles And Features Wizard. The GPMC is also available on Windows desktops when you install the Remote Server Administration Tools (RSAT). After you add the GPMC to a computer, it is available on the Tools menu in Server Manager. Through the Group Policy console, you can view, assign, and delete recovery agents by following these steps:

1. With the GPMC, you can edit a Group Policy Object (GPO) by pressing and holding or right-clicking the GPO, and then selecting Edit on the shortcut menu. The GPMC then opens the Group Policy Management Editor, which you use to manage policy settings.

2. Open the Encrypting File System node in Group Policy, which holds the recovery agents. To do this, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, and then select Encrypting File System.

3. The pane at the right lists the recovery certificates currently assigned. Recovery certificates are listed according to who issued them, who they are issued to, expiration date, purpose, and more.

4. To designate an additional recovery agent, press and hold or right-click Encrypting File System, and then tap or click Add Data Recovery Agent. This starts the Add Recovery Agent Wizard, which you can use to select a previously generated certificate that has been assigned to a user and mark it as a designated recovery certificate. Tap or click Next.

5. On the Select Recovery Agents page, you can select certificates published in Active Directory or use certificate files. If you want to use a published certificate, tap or click Browse Directory and then—in the Find Users, Contacts, And Groups dialog box—select the user with which you want to work. You’ll then be able to use the published certificate of that user. If you want to use a certificate file, tap or click Browse Folders. In the Open dialog box, use the options provided to select and open the certificate file you want to use.

SECURITY ALERT

Before you designate additional recovery agents, you should consider setting up a root certificate authority (CA) in the domain. Then you can use the Certificates snap-in to generate a personal certificate that uses the EFS Recovery Agent template. The root CA must then approve the certificate request so that the certificate can be used.

6. To delete a recovery agent, select the recovery agent’s certificate in the right pane, and then press Delete. When prompted to confirm the action, tap or click Yes. This removes the certificate from the policy; it doesn’t delete any certificate or .pfx file you have stored elsewhere, and files that were encrypted while the agent was in effect keep its entry until their key lists are refreshed (for example, with cipher /u). If the recovery policy is left empty (meaning that it has no other designated recovery agents), EFS will be turned off so that files can no longer be encrypted.
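The life cycle of a recovery agent from the command line, as an added PowerShell example that is not from the book: generate the recovery certificate with Cipher.exe, add its public half through the policy steps above (there is no cmdlet for that part), keep the private half off the file server, update already-encrypted files so they carry the new agent, and finally use the key to recover a departed user's files. The file server name, share, paths and the agent name DRA are assumptions; Import-PfxCertificate and robocopy /EFSRAW are standard on Windows Server 2012 R2.

```powershell
# Added example (not from the book): create, designate, verify and later use an
# EFS recovery agent. Server name, share, paths and the name DRA are assumptions.

# 1. Generate the recovery key pair on a trusted admin workstation, never on a
#    file server. This writes DRA.cer (public certificate, goes into the policy)
#    and DRA.pfx (certificate plus private key, protected by the password
#    cipher prompts for).
New-Item -ItemType Directory -Path 'C:\Certs' -Force | Out-Null
Set-Location 'C:\Certs'
cipher.exe /R:DRA

# 2. Add C:\Certs\DRA.cer to the recovery policy: in a domain, the GPMC steps
#    above (Add Data Recovery Agent, Browse Folders); on a standalone server,
#    the same Encrypting File System node in Local Security Policy (secpol.msc).
#    Then move DRA.pfx to offline media and remove the local copy. A recovery
#    key that stays on a server defeats the purpose of encrypting the files.
Copy-Item 'C:\Certs\DRA.pfx' 'F:\DRA.pfx'          # F: is removable media (assumption)
if ((Get-FileHash 'C:\Certs\DRA.pfx').Hash -eq (Get-FileHash 'F:\DRA.pfx').Hash) {
    Remove-Item 'C:\Certs\DRA.pfx'
}

# 3. On the file server (after the GPO has applied): list the encrypted files
#    without changing them (/U /N), then refresh their key lists (/U) so files
#    encrypted before the policy change also carry the new recovery agent.
cipher.exe /U /N
cipher.exe /U
cipher.exe /C 'E:\Data1\Finance\q1.txt'     # "Recovery Certificates" should list DRA

# 4. Recovery, later, on the admin workstation after the user's account is gone:
#    import the private key into the recovery agent's own certificate store,
#    pull the files over in raw encrypted form (so no key is needed on the
#    server and nothing crosses the wire in plain text), decrypt them locally,
#    and remove the key from the store again when done.
$pfxPassword = Read-Host -AsSecureString 'Password for DRA.pfx'
$dra = Import-PfxCertificate -FilePath 'F:\DRA.pfx' -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword
robocopy.exe '\\FS01\Data1$\Finance' 'D:\Recovery\Finance' /E /EFSRAW
cipher.exe /D /A '/S:D:\Recovery\Finance'
Remove-Item -Path "Cert:\CurrentUser\My\$($dra.Thumbprint)"
```

The order in step 4 matters: /EFSRAW copies the ciphertext and its wrapped keys intact, so the files can be moved to the workstation without any key on the server and decrypted only where the recovery key is present. Removing the imported certificate afterward keeps the workstation from becoming a permanent decryption point for every file in the organization.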

Decrypting files and directories

File Explorer shows names of encrypted resources in green. If you want to decrypt a file or directory, follow these steps:

1. In File Explorer, press and hold or right-click the file or directory, and then tap or click Properties.

2. On the General tab of the Properties dialog box, tap or click Advanced. Clear the Encrypt Contents To Secure Data check box. Tap or click OK twice.

With files, Windows Server decrypts the file and restores it to its original format. With directories, Windows Server decrypts all the files within the directory. If the directory contains subfolders, you also have the option to remove encryption from the subfolders. To do this, select Apply Changes To This Folder, Subfolders, And Files when prompted, and then tap or click OK.

TIP

Windows Server also provides a command-line utility called Cipher (Cipher.exe) for encrypting and decrypting your data. Entering cipher at a command prompt without additional parameters shows you the encryption state of the current directory and of the files and subfolders in it (E for encrypted, U for unencrypted). Cipher also lists who can decrypt a file (/c), adds users to encrypted files (/adduser), backs up your own EFS certificate and key (/x), and creates recovery agent certificates (/r).